
Wednesday, September 28, 2011

These 4 phishing messages attempt to exploit CVE-2011-1991 (MS11-071), the insecure loading of deskpan.dll by the Display Panning CPL Extension. Here is a clear explanation of the deskpan.dll functionality - it is "a module related to the display settings of pictures on your display screen". The legitimate copy is normally located in C:\Windows\System32\. The phishing messages contain a Word document (0/44 on VT) and a DLL file called deskpan.dll together in one zip or rar archive; the DLL is in fact a Taidoor trojan DLL and is unrelated to the authentic Windows library. This exploit has strict requirements for execution. I have not been able to meet them and get it to work; just like the Apr 13 CVE-2011-2100 PDF - Adobe DLL Loading Vulnerability - Agenda.7z, it is hard to trigger. A reader sent an explanation of how the exploit can be triggered. He wrote the following:

CMD.EXE executes vercslid.exe every time a document file (doc/rtf/txt or jpg) is invoked from the command interpreter.
It is important that the name of the current working directory of CMD.EXE is "(something){42071714-76D4-11D1-8B24-00A0C9068FF3}" and the directory contains both a (malicious) deskpan.dll and a (trigger) document file.
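Added example (not code from the original post or from the reader above): a small Python triage script that checks an attachment archive for the ingredients this trigger needs, a planted deskpan.dll, a trigger document (doc/rtf/txt/jpg), and a folder whose name ends in the Display Panning CPL Extension CLSID {42071714-76D4-11D1-8B24-00A0C9068FF3} (matched with or without a '.' separator, so either description of the folder name is caught). It handles zip archives only; rar would need an extra library. The archive it scans is constructed inline with placeholder bytes and is not a real sample; the function and verdict names are this example's own.

```python
"""Triage an attachment archive for the CVE-2011-1991 lure described above:
a planted deskpan.dll shipped next to a trigger document, possibly inside a
folder named <something>.{42071714-76D4-11D1-8B24-00A0C9068FF3}."""
import io
import re
import zipfile

# CLSID of the Display Panning CPL Extension (the COM class whose in-process
# server is registered by the bare name "deskpan.dll", which is what makes
# planting a copy in the working directory work).
DISPLAY_PANNING_CLSID = "{42071714-76D4-11D1-8B24-00A0C9068FF3}"
PLANTED_DLL = "deskpan.dll"
# Document types the reader reports as triggers when opened from cmd.exe.
TRIGGER_DOC_EXTS = (".doc", ".rtf", ".txt", ".jpg")
# Folder name ending in the CLSID; the '.' is optional so both forms of the
# folder name mentioned on this page are matched.
_CLSID_DIR_RE = re.compile(
    r"\.?\{42071714-76D4-11D1-8B24-00A0C9068FF3\}$", re.IGNORECASE)


def scan_archive(data: bytes) -> dict:
    """Inspect a zip archive (as bytes) and report the lure ingredients found."""
    findings = {"planted_dll": [], "dll_is_pe": None,
                "trigger_docs": [], "clsid_dirs": [], "verdict": "clean"}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            path = info.filename.replace("\\", "/")
            parts = path.split("/")
            # Any directory component named *.{CLSID} is a COM-folder candidate.
            for folder in parts[:-1]:
                if _CLSID_DIR_RE.search(folder) and folder not in findings["clsid_dirs"]:
                    findings["clsid_dirs"].append(folder)
            if info.is_dir():
                continue
            base = parts[-1].lower()
            if base == PLANTED_DLL:
                findings["planted_dll"].append(path)
                # Sanity check: a real DLL starts with the MZ header.
                findings["dll_is_pe"] = zf.read(info).startswith(b"MZ")
            elif base.endswith(TRIGGER_DOC_EXTS):
                findings["trigger_docs"].append(path)

    if findings["planted_dll"]:
        if findings["trigger_docs"] and findings["clsid_dirs"]:
            findings["verdict"] = "likely_cve_2011_1991"
        elif findings["trigger_docs"]:
            findings["verdict"] = "suspicious"  # dll + doc, folder not pre-made
        else:
            findings["verdict"] = "planted_dll_only"
    return findings


def build_sample_lure() -> bytes:
    """Constructed archive imitating the lure (placeholder bytes, not a real sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        folder = "Agenda." + DISPLAY_PANNING_CLSID
        zf.writestr(folder + "/", "")
        zf.writestr(folder + "/Direct Consultations.doc", "placeholder text, not a document")
        zf.writestr(folder + "/deskpan.dll", b"MZ" + b"\x00" * 62)
    return buf.getvalue()


def build_clean_sample() -> bytes:
    """Constructed archive holding only a document, for comparison."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Agenda.doc", "placeholder text, not a document")
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in (("lure", build_sample_lure()), ("clean", build_clean_sample())):
        print(label, scan_archive(blob))
```

A deskpan.dll anywhere outside C:\Windows\System32\ is already worth a look; the script only raises the verdict when the trigger document and the CLSID-named folder travel with it, since that is the combination the reader describes as needed for the load to happen.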

Enclosed herewith letter from Director for ASEAN Political-Security Cooperation, informing the date of the next Direct Consultations between ASEAN and P5 Nuclear Weapon States, which will be held on 4 - 6 October 2011 in New York. A Tentative Programme of the Direct Consultations is also attached for your kind reference. Thank you for your attention and continued cooperation.

Subject: overweight farmer against the government subsidy (hmm, not sure translation is right - M)
According to newspaper reports, the Legislative Yuan recently proposed by the DPP group path farmer subsidy to pay the Second Reading of coded case, the farmer benefits from the NT $ six thousand yuan to 7,000. Scarcely seems reasonable, but if the depth is not difficult to find not only absurd discussion overweight, elderly groups deepened a sense of relative deprivation, there is no justice at all. I oppose the government overweight elderly farmers' subsidy can be broadly grouped into seven.

Message Headers

1. Date of the SEANWFZ Direct Consultations between ASEAN and P5 Nuclear Weapon States, New York

Payload

I think I managed to trigger the exploit once but I could not reproduce it. The first message is different from the other three: it was meant for USA targets. The others are from Taiwan and meant for targets in Taiwan.

Just a quick note. There needs to be a '.' between the folder name and the bracket of the classid. For more information see http://blog.acrossecurity.com/2011/05/anatomy-of-com-server-based-binary.html

Malware samples are available for download by any responsible whitehat researcher. By downloading the samples, anyone waives all rights to claim punitive, incidental and consequential damages resulting from mishandling or self-infection.